Re: [scim] SCIM v3?

"Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com> Tue, 09 June 2020 16:03 UTC

From: "Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com>
To: Darran Rolls <me@darranrolls.com>, "scim@ietf.org" <scim@ietf.org>
Thread-Topic: [scim] SCIM v3?
Thread-Index: AQHWPCYIftrO9ji/AUueiiOD1vRo+qjL+hAAgAJs2wCAABHxgIAAalKAgAAIlQCAAPqsgIAAjnsw
Date: Tue, 9 Jun 2020 16:02:56 +0000
Message-ID: <DM6PR19MB3769D730481CF3DCBD84FBC8E1820@DM6PR19MB3769.namprd19.prod.outlook.com>
References: <F4D06C51-8D39-4AA3-83B0-6D6982C451C7@cisco.com> <A9824A60-BFB0-4047-8C09-6328CE497E36@independentid.com> <CA+7VvRZ0HVo_hTk_zx+bt+d5T9T0gue2VeY5tN1haSwG_xA-bg@mail.gmail.com> <21CF422B-4F2F-41E6-AC48-9B37929A5E25@darranrolls.com>
In-Reply-To: <21CF422B-4F2F-41E6-AC48-9B37929A5E25@darranrolls.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/Ebx5OM6yZovUZh8g9FlQL2GzqOQ>
Subject: Re: [scim] SCIM v3?
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 16:03:02 -0000

Darran,

Thank you for organizing.

I can make all of these times work.

Just let me know which of the date/times you’ve selected (post meeting details to the SCIM WG list).

Regards,

--
Matt Peterson
Distinguished Engineer
Quest Software, Inc

From: scim <scim-bounces@ietf.org> On Behalf Of Darran Rolls
Sent: Tuesday, June 9, 2020 6:27 AM
To: scim@ietf.org
Subject: Re: [scim] SCIM v3?


So, I read lots of interest to restart and contribute – excellent.

In the interest of rapidly moving towards a strawman charter, I’ll take a first pass at what that charter might look like and send it out here for comment.  If no one has any objection, I propose we set a time for an “interest-group call” mid/late next week?  I know it’s tricky and a little unfair to throw out call times without more prior planning BUT if we can move this along quickly we can catch the IETF 108 train.

So, is there support to hold one of the following times next week for a conversation on that (to be sent) strawman charter?  LMK if anyone feels that’s too tight or unfair for folks that are interested but can’t make it and we can stick to a list-only conversation.

10am Central US Wednesday 24th
11am Central US Wednesday 24th
---
10am Central US Thursday 25th
11am Central US Thursday 25th
---
10am Central US Friday 26th
11am Central US Friday 26th

Thanks
Darran

From: Paul Lanzi <paul@remediant.com>
Date: Monday, June 8, 2020 at 11:30 AM
To: Darran Rolls <me@darranrolls.com>, "scim@ietf.org" <scim@ietf.org>
Subject: Re: [scim] SCIM v3?

Darran, all --

I think a relook at some of the items you mentioned would be great -- count me in!

On this topic:
> Ratification of extension to address Privilege Account Management use cases

We've had some discussions with the SailPoint folks (most notably: David Lee, Matt Domsch and more recently, Adam C) that the current SCIM-PAM API is very specifically focused on supporting password-vault use cases, and doesn't have an allowance for the Just-In-Time PAM approach. Both the Identity Defined Security Alliance (IDSA) and Gartner have recently recognized this approach, and I think it would make sense to further extend the SCIM-PAM proposal to also include the use cases around JIT PAM. I'm happy to help contribute towards the technical work needed to do so.

Thanks,

--Paul
--Co-Founder @ Remediant

On Mon, Jun 8, 2020 at 8:59 AM Phillip Hunt <phil.hunt@independentid.com> wrote:
Thanks Elliot.

A number of these features including MVA filtering and paging are based on a desire to build front end IDM management UIs to SCIM API providers.

One could say this would begin to move SCIM from a provisioning protocol to a “directory” protocol. Is SCIM Directory a theme that would drive interest in a new charter?
Phil

On Jun 8, 2020, at 2:38 AM, Eliot Lear <lear@cisco.com> wrote:
Hi Paul,

As a hanger-on, I like your list.  I don’t see the value in paging, but clearly a great many others do, so I have something to learn.

Eliot

On 8 Jun 2020, at 10:34, Paul Logston <paul.logston@gmail.com> wrote:

Hi Darran and Phil,

I am interested in being part of this discussion. I work for a company that regularly uses the SCIM protocol and we have a use for a number of the extensions Darran suggested above.

Best,
Paul

Paul Logston
(510) 755 - 4474
paul.logston@gmail.com
https://www.linkedin.com/in/paullogston/



On Sun, Jun 7, 2020 at 3:32 AM Phillip Hunt <phil.hunt@independentid.com> wrote:
Darran

Good to hear!

I am not sure these items require a v3. I believe these all can be done via extensions thus maintaining backwards compatibility.

For example I did submit a proposal for paged attributes based on the current drafts.

https://tools.ietf.org/html/draft-hunt-scim-mv-paging-00

I think we have to see if there is sufficient interest to charter a WG and determine interest in specific items.

Another long-term issue is compliance. For this we need to find an independent organization to develop and host an interop test suite, as compliance testing is not something the IETF does.  This will likely require direct donation of funds and time. This is how things happened for OIDC testing.
Phil Hunt

On Jun 6, 2020, at 10:15 AM, Darran Rolls <me@darranrolls.com> wrote:
Hello SCIM folks,

To introduce myself to the group, up until March of this year I was the CTO at SailPoint and worked with Kelly Grizzle and Matt Domsch on all things identity standards.  I'm now consulting and engaging on various projects around the IAM space.

Having chatted with Leif and Morteza directly, I wanted to bring a discussion back here to the full WG alias.  As several of you will already know, I’d like to formally make a request to re-charter this WG.  The goal of the WG would be to address the ratification of the following work items:


  *   Protocol / operational enhancements

     *   Multi-value paging & cursor pagination
     *   Relying party user provisioning
     *   Soft Delete
     *   Interop and testing capabilities

  *   New schema to address

     *   Extended HR / user data and related action events
     *   Ratification of extension to address Privilege Account Management use cases

I therefore seek your comments and input on this proposal.  Are you interested in participating?  What is missing from the above list of work items?  Is there support for an informal interest-group call sometime in the next two weeks?

Thanks
Darran

--
https://www.darranrolls.com
LinkedIn: https://www.linkedin.com/in/darran-rolls-068b84 | @djrolls: https://twitter.com/djrolls

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim